The most likely way that you will be compromised online is through a simple phish or a socially engineered attack. Today, these two techniques are often combined to create an even more threatening attack, an intelligently targeted phish.
Thanks to the wealth of information that we all leave behind us as we use the Internet, it is easier than ever for a social engineer to learn our name, address, place of work, and in many cases, email addresses - both personal and work emails are often accessible to social engineers.
Using Google, Whitepages.com, services like Spokeo, LexisNexis, Facebook, LinkedIn and other sites, it is surprisingly easy to learn where someone lives, where someone works, their phone numbers and their email addresses. With just a little more work, a social engineer can discover their target's spouse's name, the names and schools of their children, the location of their last vacation, their outstanding mortgage, social security numbers, credit ratings and their approximate net worth. In fact, often, all of this can be uncovered in about fifteen minutes! With more time, the names of the target's key work colleagues and possibly the names of some of the target's key friends can be found, too.
Phish Anatomy
The social engineers have everything they need to wreak havoc through a carefully crafted email. And they do.
Modern phishing attacks employ a variety of strategies to try to compromise your machine or mobile device. And because the phishers know that everyone uses their work machines to access not just their work emails, but their personal email accounts from inside their corporate network, an attack leveraging a friend or family identity made during business hours can be extremely effective.
FIRST: the phish will seem to originate from someone you know - this person could be a colleague, a superior, or a department head from your work. The person could just as easily be a family member, friend, relative, someone from your garden club, or a teacher or administrator from your child's school. Really, in today's world, they could be anyone - but in the case of a targeted attack, it will be from someone who you recognize.
SECOND: the phish will have some kind required or desired action. A new corporate procedure or update, perhaps. Or a request to have you review a document. From a personal friend, it could be a request for you to review you contact information for a club/organization address book, or the highlighting of an interesting article for you to read. From a relative, it could be anything, from a supposed photo of a long past family member or a promised humorous video of a family member. Whatever it is, it will seem like a completely ordinary request.
THIRD: the email will contain a payload - malware, spyware, ransomware, or you-name-it-ware. This malicious code will be embedded in the attachment or distributed when you follow the link in the email. When you click on the attachment, or travel to the linked site, you instantly become the victim.
How Do You Tell Real From Fake?
Does this mean that all email is evil? That you cannot ever open an attachment again? No, it doesn't mean that at all. It is often easy to differentiate between most legitimate emails and the bad stuff.
First, it turns out that most of us have a pretty small set of common correspondents. And within that inner circle, you know enough about who they are, and their interests to decide if any email from them is out of the ordinary. You'll know it from their tone, from the way they address you, and from the think they are “sending" to you. Trust your instincts.
It is often easy to learn where someone lives, where someone works, their phone numbers and their email addresses.
When you get an email from a personal friend outside your inner circle, that's when the warning bells should go off. You should be thinking “why would they send this email to me?". Then you should look at the sending domain carefully. The bad guys will know your friend's name, but they won't be able to send from your friend's email address. Usually, by clicking on the sender, you can see the sender's email domain. If the domain doesn't make sense, don't go any further.
For intelligent phish that arrive at work, from work sources, it is much more difficult. First, ask your colleagues about the email. Did they get it? Did it make sense? Review the sending domain - if it didn't originate from your legitimate corporate domain, be very suspicious. Finally, if doubt remains, before clicking on anything, contact the department that allegedly sent you the email (just as you would contact your bank, or your credit card company if they sent you an unusual email). They will not be upset if you ask they to verify that they sent the email. If they did, there has been no harm. If they didn't, you will have helped to prevent an outside attack on your company. If you decide to contact the department-- do not call the phone number in the email - the phishers are way ahead of you there -- that number is staffed, ready to reply to your request.
PhishLabs Phishing Solutions
The PhishLabs SMART platform delivers full antiphishing protection, through integrated domain monitoring, MX Record tracking, wide scale phish capture and evaluation, and unsurpassed mitigation services. Through the unique combination of technology based detection and initial evaluation, backed by experienced identity theft and anti-phishing specialists, PhishLabs is able to offer detection and mitigation of generic phishing attacks, as well as the sophisticated modern phishing attacks that threaten organization with plausible, socially engineered emails. We provide enterprise-class effectiveness in each of the three major phases of anti-phishing protection. We are constantly monitoring for new domains with names that mimic yours and for domains with other infringing content. We have one of the industry's most complete infrastructures for capturing phish “in the wild". We provide full-scale mitigation services to neutralize phishing attacks and phishing sites. From detection through mitigation, PhishLabs is able to provide enterprise-class anti phishing services that not only completely satisfy the needs of small and medium sized business and institutions, but also scale to meet the demands of the highest volume clients in the world.